Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-00.txt

Greg Hudson <ghudson@mit.edu> Mon, 09 February 2015 21:33 UTC

Message-ID: <54D9279B.9020209@mit.edu>
Date: Mon, 09 Feb 2015 16:33:15 -0500
From: Greg Hudson <ghudson@mit.edu>
To: Michiko Short <michikos@microsoft.com>, "kitten@ietf.org" <kitten@ietf.org>
References: <BL2PR03MB2125C0B7BFEA7D6E1999896D0270@BL2PR03MB212.namprd03.prod.outlook.com>
In-Reply-To: <BL2PR03MB2125C0B7BFEA7D6E1999896D0270@BL2PR03MB212.namprd03.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/PRGAUXdaHpkTPmybY-hDiQGiRUk>

On 02/09/2015 04:18 PM, Michiko Short wrote:
> 1. Is this padata type needed at all?  
> 
> My understanding (confirmed by Sam) is that RFC 4120 extensibility guidelines require that the KDC ensure the clients understand the response. I am open to discussion.

Surely clients must ignore unknown preauth types in a preauth-required
error.  Otherwise all new preauth methods (including specified ones such
as PKINIT and OTP) would have required an indication of client support
in the request.

> 4. The draft defines "PA-AS-FRESHNESS ::= OCTET STRING".  Is it desirable to wrap the freshness token in a DER OCTET STRING tag, or could we just transmit the value directly within the padata-value?  Of course the value still needs to have type OCTET STRING within the PKAuthenticator.
> 
> If we skip the OCTET STRING definition then we need to specify that the padata-value directly is the freshness octet string (i.e., no wrapping in the padata-value OCTET STRING). The PKAuthenticator needs to specify that the freshnessToken component is an OCTET STRING and with a comment that the value shall be as received in padata-value (basically just a copy of the whole DER-encoded padata-value value). The advantage though (besides being shorter) is that we could now simply claim that the padata-value directly carries a freshness token, when non-empty. Is that what you were thinking?

Yes.  In addition to making the preauth-required error slightly shorter,
this change eliminates an implementation step and an exceptional case in
the client code required to implement the feature.

If we make this change and the PA-AS-FRESHNESS token sent by the KDC is
empty, I don't think the client should treat that as an exceptional
case; it should include an empty OCTET STRING value in the
freshnessToken field of the PKAuthenticator, like it would for any other
PA-AS-FRESHNESS padata-value.
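
Added example (not from the draft or from either poster): the two padata-value layouts discussed in this message, side by side with the client-side copy into the PKAuthenticator freshnessToken field, using a minimal DER OCTET STRING encoder/decoder. The token bytes are constructed, and the function names are mine.

```python
# Added example, not code from the draft.  Kerberos padata-value is itself an
# OCTET STRING, so "PA-AS-FRESHNESS ::= OCTET STRING" nests one OCTET STRING
# inside another; the proposed change carries the token bytes directly.

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_octet_string(value: bytes) -> bytes:
    """DER OCTET STRING (tag 0x04); an empty value encodes as 04 00."""
    return b"\x04" + der_len(len(value)) + value

def octet_string_contents(der: bytes) -> bytes:
    """Decode exactly one DER OCTET STRING; reject a wrong tag, non-minimal
    lengths and trailing bytes, as a strict ASN.1 decoder would."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("expected OCTET STRING tag")
    first = der[1]
    if first < 0x80:
        n, start = first, 2
    else:
        k = first & 0x7F
        if k == 0 or k > 4 or len(der) < 2 + k:
            raise ValueError("bad length octets")
        n, start = int.from_bytes(der[2:2 + k], "big"), 2 + k
        if n < 0x80 or der[2] == 0:
            raise ValueError("non-minimal DER length")
    if len(der) != start + n:
        raise ValueError("length mismatch or trailing data")
    return der[start:start + n]

def padata_value_nested(token: bytes) -> bytes:
    """Draft -00 layout: padata-value OCTET STRING holding a DER OCTET STRING."""
    return der_octet_string(der_octet_string(token))

def padata_value_direct(token: bytes) -> bytes:
    """Proposed layout: the padata-value contents are the token bytes."""
    return der_octet_string(token)

def freshness_token_field(padata_value: bytes, nested: bool) -> bytes:
    """Client side: build the PKAuthenticator freshnessToken (an OCTET STRING)
    from the received padata-value.  The direct layout is a byte-for-byte copy;
    the nested layout needs one more decode.  An empty token is not special."""
    token = octet_string_contents(padata_value)
    if nested:
        token = octet_string_contents(token)
    return der_octet_string(token)
```

With the direct layout the freshnessToken encoding equals the received padata-value byte for byte, and an empty token simply becomes `04 00`.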